[dns-operations] NSEC3

Roy Arends roy at dnss.ec
Tue Jun 27 16:15:11 UTC 2006

On Jun 27, 2006, at 5:45 PM, Edward Lewis wrote:

> At 16:11 +0200 6/27/06, Roy Arends wrote:
>> On Jun 26, 2006, at 8:53 PM, Edward Lewis wrote:
>>>  I was told [that] to switch between NSEC and NSEC3 I would need  
>>> a completely
>>>  different code base and would have to cut over all of my  
>>> instances in
>>>  a flash - not just zone data but name server software.  To me,  
>>> that's
>>>  a high cost.
>> I do not recall this.
>> What I recall is that you indeed need new code to be able to support
>> NSEC3, surprise, surprise.
>> But that you can gradually roll-over, not 'cut over all of my  
>> instances in
>> a flash'.
> Along the line of being asked "why would you want to serve both  
> NSEC and NSEC3 at the same time?" it was said that a server  
> couldn't serve both up at the same time.

DNSSEC _responses_ to requests either contain NSEC or NSEC3 records.  
This is per ZONE based, not per SERVER.

A NSEC3 capable server can thus serve both NSEC for 'example.biz' and  
NSEC3 for 'example.com', if that box was authoritative for both.

>   That's not the same question, but I was told that a NSEC3 capable  
> authoritative server would not carry the NSEC code.

Whatever entity carries NSEC3 code will have to carry NSEC code.

> The rationale was that a server has to do very different processing  
> for NSEC and NSEC3, so how would it choose the code path?

non sequitur

> This was said by at least one implementer in the room, probably  
> without considering how it could be done.

I find that highly unlikely.

IIRC, every 'NSEC3 capable authoritative server' implementation that  
was present in that room is capable of serving both NSEC and NSEC3,  
with a granularity on a per zone basis.

I'd like that implementer to step forward, if he/she actually exists.


More information about the dns-operations mailing list